Forum Discussion
All messages sent outside my organization are not encrypted
- Nov 06, 2023
Hello community experts,
I'm happy to inform you that I've just solved my problem.
The problem wasn't related to my Exchange servers at all, but rather to my Firewall/Router.
There was a rule in my Firewall/Router that prevented my edge transport server from using STARTTLS.
I hope this may help others in their troubleshooting process.
Thank you all for your answers.
Collins_Kouam
Received: from SY4AUS01FT012.eop-AUS01.prod.protection.outlook.com
(2603:10c6:10:201:cafe::af) by SY5P282CA0086.outlook.office365.com
(2603:10c6:10:201::7) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6933.21 via Frontend
Transport;
- Collins_Kouam, Oct 31, 2023, Copper Contributor
Hello Dan_Snape,
First of all, thank you for your reply.
I was referring to the encryption of the communication between the servers, not the encryption of the e-mail message itself; sorry for the misunderstanding.
As I said in my first message, when I check the log files under C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Edge\ProtocolLog\SmtpSend, I can clearly see that my edge transport server negotiates communication with the other servers without using STARTTLS; the communication is in the clear.
I also mentioned that I was using the same third-party certificate on both my Mailbox and edge Transport server. Could this be the cause of my problem?
On my Mailbox I have associated the IIS, IMAP, POP and SMTP services with my third-party certificate, and on the edge Transport Server only the SMTP service.
When I telnet from a server outside my organization to my mail server on port 25, I get:
Telnet mail.example.com
EHLO mail.example.com
250-mail.example.com Hello [XX.XX.XX.XX]
250-SIZE 37748736
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
...
Below is the header of a message I sent to my private email:
Received: from mailbox.example.com (192.168.43.1) by mail.example.com (192.168.43.109) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.27; Mon, 30 Oct 2023 16:57:26 +0100
Received: from mailbox.example.com (10.0.3.223) by mailbox.example.com (10.0.3.223) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.27; Mon, 30 Oct 2023 16:57:26 +0100
Received: from mailbox.example.com ([10.0.3.223]) by mailbox.example.com ([10.0.3.223]) with mapi id 15.02.1258.027; Mon, 30 Oct 2023 16:57:26 +0100
Thank you again
Collins_kouam
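An added example, not part of the original posts: the Received headers quoted in the thread record the TLS version and cipher for each hop, so the check done by eye above can be scripted. It assumes the Microsoft SMTP Server header layout shown in the thread; the function names and the third sample header (documentation addresses) are constructed here.

```python
import re

# First and second entries are copied from the post above; the third is a
# constructed header showing an SMTP hop with no TLS parameters recorded.
SAMPLE = [
    "from mailbox.example.com (192.168.43.1) by mail.example.com (192.168.43.109)"
    " with Microsoft SMTP Server (version=TLS1_2,"
    " cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.27;"
    " Mon, 30 Oct 2023 16:57:26 +0100",
    "from mailbox.example.com ([10.0.3.223]) by mailbox.example.com ([10.0.3.223])"
    " with mapi id 15.02.1258.027; Mon, 30 Oct 2023 16:57:26 +0100",
    "from mail.example.com (203.0.113.10) by mx.example.net (198.51.100.5)"
    " with Microsoft SMTP Server id 15.2.1258.27; Mon, 30 Oct 2023 16:57:27 +0100",
]

HOP = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>[^;(]+)", re.S)
TLS = re.compile(r"version=(?P<version>[\w.]+),\s*cipher=(?P<cipher>\w+)")


def parse_hop(value):
    """Return src, dst, protocol and TLS parameters for one Received value."""
    text = " ".join(value.split())  # unfold wrapped header lines
    hop = HOP.search(text)
    if hop is None:
        return None
    # "with mapi id 15.02..." carries the id inside the protocol clause
    proto = hop.group("proto").split(" id ")[0].strip()
    tls = TLS.search(text)
    return {
        "src": hop.group("src"),
        "dst": hop.group("dst"),
        "proto": proto,
        "tls_version": tls.group("version") if tls else None,
        "cipher": tls.group("cipher") if tls else None,
    }


def cleartext_smtp_hops(values):
    """SMTP hops whose Received header records no TLS version or cipher."""
    hops = [h for h in map(parse_hop, values) if h]
    return [h for h in hops if "smtp" in h["proto"].lower() and not h["tls_version"]]


if __name__ == "__main__":
    for h in map(parse_hop, SAMPLE):
        print(h["src"], "->", h["dst"], h["proto"], h["tls_version"] or "no TLS recorded")
```

The mapi hop is local submission on the mailbox server and is deliberately not flagged; only SMTP hops without recorded TLS parameters are returned.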